Synchronizing ESXi/ESX time with a Microsoft Domain Controller

Article ID: 313888

Products

VMware vSphere ESXi

Issue/Introduction

An ESXi host configured to use a Microsoft Windows 2003 or newer Domain Controller as a time source never synchronizes its clock with the default configuration.

Resolution

Workaround

When using Active Directory integration in vSphere ESXi, time must be synchronized between ESXi and the directory service, because the Kerberos security protocol depends on the two clocks agreeing.

When ESXi is joined to the domain, leave the default settings unchanged and do not configure NTP. If NTP is to be used, the Active Directory server must itself be configured to use a reliable NTP time source.

ESXi supports synchronizing time with an external NTPv3 or NTPv4 server compliant with RFC 5905 and RFC 1305. Microsoft Windows 2003 and newer use the W32Time service to synchronize time for Windows clients and to support the Kerberos v5 protocol. For more information, see the Microsoft Knowledge Base article 939322 and How the Windows Time Service Works.

By default, an unsynchronized Windows server chooses a 10-second dispersion and adds to the dispersion on each poll interval that it remains in sync. An ESXi host, by default, does not accept any NTP reply whose root dispersion is greater than 1.5 seconds.

Configure Windows NTP Client

ESXi requires an accurate time source to synchronize with. To use a Windows 2003 or newer server as that source, configure it to get its own time from an accurate upstream NTP server. For more information, see the Microsoft Knowledge Base article 816042.

Use the registry editor on the Windows server to make the configuration changes:

Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that there is a current and valid backup of the registry and the virtual machine. 

  1. Enable NTP mode:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    2. Set the Type value to NTP

  2. Enable the NTP Client:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    2. Set the AnnounceFlags value to 5.

  3. Specify the upstream NTP servers to sync from:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders
    2. Set the NtpServer value to a list of at least 3 NTP servers.

      Example: The value might be set to:

      1.pool.ntp.org,0x1 2.pool.ntp.org,0x1 3.pool.ntp.org,0x1

      Note: On a Windows 2008 Domain Controller, NtpServer is located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.

  4. Specify a 15-minute update interval:
     
    1. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
    2. Set the SpecialPollInterval value to 900.

  5. Restart the W32time service for the changes to take effect.

Configure ESXi NTP and Likewise Clients

vSphere Client

Configure ESXi/ESX to synchronize time with the Windows server Active Directory Domain Controller: 

  1. Connect to the ESXi host or vCenter Server using the vSphere Client.
  2. Click the ESXi host in the inventory.
  3. Click the Configuration tab.
  4. Under the Software heading, click Time Configuration.
  5. Click Properties.
  6. Ensure that the NTP Client Enabled option is selected.
  7. Click Options.
  8. Click NTP Settings.
  9. Click Add and specify the fully qualified domain name or IP address of the Windows server Domain Controller(s).
  10. Click OK.
  11. Click OK to save the changes.

ESXi 6.x / 7.0.1 / 7.0.2

  1. Connect to the ESXi host using an SSH session. For more information, see Using ESXi Shell in ESXi.
  2. Open the /etc/ntp.conf file in a text editor.
     
  3. Add the tos maxdist directive on its own line:

    tos maxdist 30
     
  4. Save and close the configuration file.
  5. Access the likewise shell:

    /usr/lib/vmware/likewise/bin/lwregshell

    Note: If the command fails with the following error:

    lwregshell (error = 40700 - LWREG_ERROR_NO_SUCH_KEY_OR_VALUE)

    start the likewise service and then run the lwregshell command again to access the likewise shell:

    /etc/init.d/lwsmd start
     
  6. Navigate to the HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory key with this command:

    cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory
     
  7. Run this command to set SyncSystemTime to 0, which stops the Likewise agent from adjusting the system clock itself:

    set_value SyncSystemTime 0
     
  8. Exit the shell by typing quit and pressing Enter.
  9. Refresh the lsass service with this command:

    /usr/lib/vmware/likewise/bin/lwsm refresh lsass

    For example:

    /usr/lib/vmware/likewise/bin/lwsm refresh lsass

    Refreshing service: lsass
     
  10. To verify the changes to the registry key, run this command:

    /usr/lib/vmware/likewise/bin/lwregshell list_values "[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]"
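
The ESXi-side steps above (3 and 5 through 10) as an added example script; this is not from the VMware article. It makes the tos maxdist edit idempotent and runs the Likewise commands non-interactively. NTP_CONF, LW_BIN and the APPLY guard are variables introduced here so the editing functions can be exercised against a scratch copy of ntp.conf; the single-command lwregshell set_value "[key]" name value form is assumed by analogy with the list_values form in step 10, whereas the article itself uses the interactive cd / set_value session.

```shell
#!/bin/sh
# Added example, not from the VMware KB: applies the ESXi 6.x/7.0.1/7.0.2 steps
# above non-interactively. NTP_CONF, LW_BIN and APPLY are variables introduced
# here so the functions can be exercised against a scratch copy of ntp.conf.
set -eu

NTP_CONF="${NTP_CONF:-/etc/ntp.conf}"
LW_BIN="${LW_BIN:-/usr/lib/vmware/likewise/bin}"
LSASS_KEY='HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory'

# Step 3: make sure the ntp.conf given as $1 carries exactly one
# "tos maxdist <n>" line (n defaults to the article's 30). An existing
# directive is rewritten in place; otherwise one is appended. Safe to re-run.
set_tos_maxdist() {
    conf="$1"
    maxdist="${2:-30}"
    if grep -Eq '^[[:space:]]*tos[[:space:]]+maxdist' "$conf"; then
        # rewrite through a temp file rather than relying on sed -i
        sed "s/^[[:space:]]*tos[[:space:]]\{1,\}maxdist.*/tos maxdist $maxdist/" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf 'tos maxdist %s\n' "$maxdist" >> "$conf"
    fi
}

# Prints the configured maxdist value, or an empty string if the directive
# is absent. Used to verify the edit before the NTP service is restarted.
get_tos_maxdist() {
    awk '$1 == "tos" && $2 == "maxdist" { v = $3 } END { print v }' "$1"
}

# Steps 5-10: if lwregshell cannot open the key (error 40700 when lwsmd is
# not running), start lwsmd first; then set SyncSystemTime to 0, refresh
# lsass and list the key so the change can be checked.
disable_likewise_time_sync() {
    if ! "$LW_BIN/lwregshell" list_values "[$LSASS_KEY]" >/dev/null 2>&1; then
        /etc/init.d/lwsmd start
    fi
    # assumed non-interactive form of the article's "cd ...; set_value SyncSystemTime 0"
    "$LW_BIN/lwregshell" set_value "[$LSASS_KEY]" SyncSystemTime 0
    "$LW_BIN/lwsm" refresh lsass
    "$LW_BIN/lwregshell" list_values "[$LSASS_KEY]"
}

# Only touch the live host when explicitly asked: APPLY=1 sh thisscript.sh
if [ "${APPLY:-0}" = "1" ]; then
    set_tos_maxdist "$NTP_CONF" 30
    echo "tos maxdist now: $(get_tos_maxdist "$NTP_CONF")"
    disable_likewise_time_sync
fi
```

ntpd reads tos maxdist only at startup, so restart the NTP service on the host after the edit. Note what the change does and does not do: raising maxdist from the default only widens the root-distance threshold under which ESXi accepts a reply (here to 30 seconds); it does not make the Domain Controller any more accurate, which is why the Windows side must be pointed at a reliable upstream NTP source first, as the article requires.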

For ESXi 7.0.3, see the article "vSphere ESXi 7.0 U3 and later versions NTP configuration steps loading a text file containing NTP configuration commands".

Once the configuration changes are complete, ensure that the time is synchronized between the ESXi host and the Windows server. For more information, see Troubleshooting NTP on ESX and ESXi.

Additional Information